Allen,

Looks like an excellent first draft. Here are a few modifications I'd find helpful.

1) Might mention in the logout section for users that closing a browser will also (generally, thanks Firefox) terminate session cookies.

2) I think authentication session duration is very deployment-specific and it would be difficult to make any general recommendations.

3) I don't think the discussion of the benefits of https for user authentication to the OP is given enough emphasis. It would be nice to state clearly the protection against MITM, promiscuous listeners, etc. that https provides, so that OPs realize exactly what protection TLS/SSL offers.

4) I'd disentangle the wording about RP/OP trust from the specific point about PAPE. Provider trust is a more general topic that is really important, and I think it merits its own section. I'm happy to draft that if you'd like.

5) For account linking, I'd clarify the text so that the need to authenticate the user separately from the assertion is explicit.

6) Pull the replay warning into its own bullet, and mention the use of a timestamp to bound the time nonces must be stored for.

7) Is it worth mentioning more generally anything about session or assertion hijacking and possible countermeasures?

Thanks for writing it,
Nate.
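
An added illustration of point 6 above (example code written for this thread, not part of Allen's draft document or any OpenID library): an RP-side replay guard that uses the timestamp at the front of an OpenID 2.0 response_nonce to reject stale or future-dated assertions and to forget old nonces, so the nonce store stays bounded. The five-minute acceptance window and the NonceStore/parse_ts names are assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: an ISO 8601 UTC timestamp ("2005-05-15T17:11:51Z")
# followed by optional printable ASCII that makes the value unique, <= 255 chars.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)[\x21-\x7e]*$")


def parse_ts(s):
    """Parse the timestamp prefix of a nonce into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class NonceStore:
    """Replay guard for OpenID positive assertions (assumed helper, not from the draft).

    A nonce is only remembered for `window`; anything older is rejected on the
    timestamp alone, so forgetting it cannot reopen a replay opportunity.
    """

    def __init__(self, window=timedelta(minutes=5)):  # assumed clock-skew/replay window
        self.window = window
        self.seen = {}  # nonce -> its embedded timestamp

    def check(self, nonce, now):
        """Return True if the assertion may be accepted, False if it must be rejected."""
        m = NONCE_RE.match(nonce)
        if not m or len(nonce) > 255:
            return False  # malformed nonce
        ts = parse_ts(m.group(1))
        # Too old or too far in the future: reject without consulting the store.
        if ts < now - self.window or ts > now + self.window:
            return False
        self.prune(now)
        if nonce in self.seen:
            return False  # replayed assertion
        self.seen[nonce] = ts
        return True

    def prune(self, now):
        """Drop nonces whose timestamp has aged out of the acceptance window."""
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
```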

On Jun 8, 2009, at 9:03 PM, Allen Tom wrote:

Hi All,

As part of the OpenID 2.1 Working Group proposal, I've been nominated to edit the OpenID Security Best Practices document, which will be a living document that contains security related best practices as determined by the community.

Although we haven't officially kicked off the OpenID 2.1 WG yet, OpenID has been gaining a lot of momentum and interest lately, so it's definitely time to start writing it.

Here's a very rough draft that captures many security related discussions that we've had on the OpenID mailing lists and also at meetups like the Internet Identity Workshop.

http://wiki.openid.net/OpenID-Security-Best-Practices

Feedback and suggestions are more than welcome. As mentioned, this is intended to be a living document, so we fully expect the document to continue to evolve over time.

Thanks
Allen

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security